Abstract

One-way hash chains have been used in many micropayment schemes due to their 
simplicity and efficiency. In this paper we introduce the notion of multi-dimensional 
hash chains, which is a new generalization of traditional one-way hash chains. We 
show that this construction has storage-computational complexity of $O(\log_2 N)$ per
chain element, which is comparable with the best result reported in recent literature. 
Based on multi-dimensional hash chains, we then propose two cash-like micropayment 
schemes, which have a number of advantages in terms of efficiency and security. We 
also point out some possible improvements to PayWord and similar schemes by using 
multi-dimensional hash chains. 


1 Introduction 

One-way hash chains are an important cryptographic primitive and have been used as a 
building block of a variety of cryptographic applications such as access control, one-time 
signature, electronic payment, on-line auction, etc. 

In particular, there are many micropayment schemes based on one-way hash chains,
including PayWord [5], NetCard _[I|, micro-iKP [3] and others. 

By definition, micropayments are electronic payments of low value. Other schemes 
designed for payments of high value normally use a digital signature to authenticate every 
payment made. Such an approach is not suitable for micropayments because of high 
computational cost and bank processing cost in comparison with the value of payment. 

The use of hash chains in micropayment schemes allows minimizing the use of digital
signature, whose computation is far slower than the computation of a hash function
(according to jS], hash functions are about 100 times faster than RSA signature verification,
and about 10,000 times faster than RSA signature generation). Moreover, because
a whole hash chain is authenticated by a single digital signature on the root of chain, 
successive micropayments can be aggregated into a single larger payment, thus reducing 
bank processing cost. 

There are a variety of improvements to hash chains. For example, in the PayTree
payment scheme [7], Jutla and Yung generalized the hash chain to a hash tree. This
construction allows the customer to use parts of a tree to pay different vendors. Recently, 
researchers have proposed a number of improved hash chains, which are more efficient in 
terms of computational overhead and storage requirement El nim a.. 

This paper is organized as follows. In section 2 we introduce the notion of
multi-dimensional hash chains (MDHC for short). We also analyze the efficiency of this
construction and show that RSA modular exponentiations could be used as one-way hash
functions of an MDHC. Section 3 describes two cash-like micropayment schemes based on
MDHC, which have a number of advantages in terms of efficiency and security. In section 4
we also examine some possible improvements to PayWord and similar schemes. Finally,
section 5 concludes the paper.

2 Multi-Dimensional Hash Chain 

2.1 Motivation 

The notion of MDHC originates from one-way hash chains and one-way accumulators [2].
Here we briefly describe these two constructions. 

A hash chain is generated by applying a hash function multiple times. Suppose that we
have a one-way hash function $y = h(x)$ and some starting value $x_n$. A hash chain consists
of values $x_0, x_1, x_2, \ldots, x_n$ where $x_i = h(x_{i+1})$ for $i = 0, 1, \ldots, n-1$. The
value $x_0 = h^n(x_n)$ is called the root of the hash chain. The figure below depicts a hash
chain of size n:

[Diagram: $x_0 \leftarrow x_1 \leftarrow x_2 \leftarrow \cdots \leftarrow x_n$, each arrow labelled $h$]

Figure 1: A one-way hash chain

In contrast, a one-way accumulator is the output of multiple hash functions, each of 
them applied only once: 

$y = h_1(h_2(\ldots(h_m(x))))$

In order to ensure that the output is uniquely determined regardless of the application
order, functions $h_1, h_2, \ldots, h_m$ must be pairwise commutative, i.e.
$h_i(h_j(x)) = h_j(h_i(x))$ for any x.

Combining the two constructions described above, we define a multi-dimensional hash 
chain as the result of multiple applications of different commutative hash functions, so the 
root of an m-dimensional hash chain is: 

$X_0 = h_1^{n_1}(h_2^{n_2}(\ldots(h_m^{n_m}(X_N))))$

It is necessary to note that MDHC differs from other generalizations of the normal hash
chain such as the hash tree, which is used in the PayTree scheme. In particular such trees
are generated from multiple leaf nodes, while an MDHC is generated from a single starting
value (i.e. the value $X_N$ above).

2.2 Definitions 

We begin with necessary definitions. 

Definition 1. Two functions $h_1, h_2 : X \to X$ are called commutative if
$h_1(h_2(x)) = h_2(h_1(x))$ for any $x \in X$.

Definition 2. A one-way function $h : X \to Y$ is called one-way independent of one-way
functions $h_1, h_2, \ldots, h_m$ of the same domain if for any $x \in X$, computing $h^{-1}(x)$ is
intractable even if values $h_1^{-1}(x), h_2^{-1}(x), \ldots, h_m^{-1}(x)$ are known.

And now we define MDHC as follows. 


Definition 3. Let $h_1, h_2, \ldots, h_m$ be m one-way hash functions that are pairwise
commutative and each of which is one-way independent of all the others. An m-dimensional
hash chain of size $(n_1, n_2, \ldots, n_m)$ consists of values $x_{k_1,k_2,\ldots,k_m}$ where:

$x_{k_1,k_2,\ldots,k_i,\ldots,k_m} = h_i(x_{k_1,k_2,\ldots,k_i+1,\ldots,k_m})$ for $i = 1, 2, \ldots, m$ and $k_i = 0, 1, \ldots, n_i$

The value $X_N = x_{n_1,n_2,\ldots,n_m}$ is called the starting node, and the value
$X_0 = x_{0,0,\ldots,0}$ is called the root of the MDHC, which is uniquely determined from
$X_N$ due to commutativity of hash functions:

$X_0 = h_1^{n_1}(h_2^{n_2}(\ldots(h_m^{n_m}(X_N)))) = \prod_{i=1}^{m} h_i^{n_i}(X_N)$

As an illustration, the figure below depicts a two-dimensional hash chain of size (3,2): 


[Diagram: a grid of nodes from the root $X_0 = x_{0,0}$ to the starting node $X_N = x_{3,2}$]

Figure 2: A two-dimensional hash chain


2.3 Efficiency analysis 

In recent literature, there are a number of improvements to one-way hash chains that 
aim to be more efficient in terms of computational overhead and storage requirement. A 
widely used metric for one-way hash chain efficiency is the storage-computational
complexity, which is the product of the traversal overhead and the storage required to compute
consecutive nodes of the hash chain. 

It is easy to see that a linear hash chain of size n has storage-computational complexity
of O(n). In fact, if we precompute and store all nodes (storage of O(n)), then no
computation is needed when a node is requested (traversal of O(1)). Alternatively, we can
store only the starting value, and compute every node from the beginning each time it is
requested. This approach requires storage of O(1) and O(n) computations. Also, if we
store every t-th node, then storage of O(n/t) and O(t) computations are required. So, in
any case, the storage-computational complexity of the linear hash chain is O(n).

In J3 , HI ITT] the authors have proposed new techniques that make traversal and storage
more efficient, which require $O(\log_2 n)$ computations and $O(\log_2 n)$ storage, resulting in
storage-computational complexity of $O(\log_2^2 n)$. Recently, Hu et al. [1] have presented a
new hierarchical construction for one-way hash chains that requires $O(\log_2 n)$ storage and
only O(1) traversal overhead.

In our case of an m-dimensional hash chain of size n (for simplicity we assume all
dimensions have the same size $n_1 = n_2 = \ldots = n_m = n$), the number of nodes is
$N = (n + 1)^m$. If we store only the starting node of the chain (storage of O(1)) then the
maximal number of calculations required to compute any node is $nm = n \log_{n+1} N$, or
$\log_2 N$ if we select n = 1. In that case the storage-computational complexity of MDHC is
$O(\log_2 N)$, which is equivalent to the results in [1].

The advantage of MDHC is its simple implementation that does not rely on the so-called
pebbling technique, which is used in the constructions mentioned above. However,
the main limitation of this construction is the fact that hash functions have to meet the 
conditions described in the definition of MDHC. The RSA modular exponentiation is 
known to meet these conditions, but it is not as fast as the traditional hash functions, e.g. 
MD5 or SHA. 

2.4 RSA modular exponentiation 

Let us consider the function of RSA modular exponentiation:

$y = x^c \bmod M$

where c is some constant value and M is an RSA modulus, which is a product of two large
primes p and q of equal bit length.

According to the RSA modular exponentiation functions with appropriately selected
exponents could meet MDHC requirements.

First, obviously these functions are pairwise commutative:
$h_i(h_j(x)) = x^{c_i c_j} \bmod M = h_j(h_i(x))$

Second, one-wayness of these functions is derived from the RSA assumption [5], which
states that the problem of finding the modular root $x = y^{1/c} \bmod M$ is intractable.

Finally, regarding one-way independence of functions, Shamir m showed that if c is
not a divisor of the product $c_1 c_2 \cdots c_m$ then the modular roots $y^{1/c_1} \bmod M$,
$y^{1/c_2} \bmod M$, ..., $y^{1/c_m} \bmod M$ are insufficient to compute the value of
$y^{1/c} \bmod M$.

Therefore we can use the functions of RSA modular exponentiation as one-way hash 
functions to construct multi-dimensional hash chains. 

In that case we have the following recursive expression:

$x_{k_1,k_2,\ldots,k_i,\ldots,k_m} = (x_{k_1,k_2,\ldots,k_i+1,\ldots,k_m})^{c_i} \bmod M$ for $i = 1, 2, \ldots, m$ and $k_i = 0, 1, \ldots, n_i$

where $c_1, c_2, \ldots, c_m$ are exponents of RSA functions $h_1, h_2, \ldots, h_m$ respectively.

Note that if one knows the factorization of M (i.e. knows p and q), then one can
compute $X_0$ quickly by using the following expression:

$X_0 = X_N^{\prod_{i=1}^{m} c_i^{n_i} \bmod E} \bmod M$

where $E = \varphi(M) = (p - 1)(q - 1)$, and $\varphi$ denotes Euler's totient function.

The expression above consists of only one modular exponentiation with modulus M
and $\log_2 N$ modular multiplications with modulus E. Since a multiplication is far faster
than an exponentiation, this expression allows us to compute $X_0$ from $X_N$ in a very
efficient manner.
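
The construction of sections 2.2 to 2.4 in runnable form, as an added example that is not code from the paper: a two-dimensional chain over RSA exponentiation, checking that every order of hashing reaches the same root and that the factorization shortcut yields it with one exponentiation. The primes, exponents, starting node and function names are constructed toy values; requiring $\gcd(c_i, E) = 1$ and $\gcd(X_N, M) = 1$ is an assumption of the example.

```python
from itertools import permutations
from math import gcd

# Constructed toy parameters, far too small for real use.
P, Q = 1019, 1187                  # safe primes: 2*509 + 1 and 2*593 + 1
M, E = P * Q, (P - 1) * (Q - 1)    # RSA modulus and E = phi(M)
C = (3, 5)                         # exponents c_1, c_2 of h_1, h_2
X_N = 424242                       # constructed starting node

# Assumed side conditions: exponents invertible mod E, X_N a unit mod M.
assert gcd(X_N, M) == 1 and all(gcd(c, E) == 1 for c in C)


def h(i, x):
    """h_i(x) = x^{c_i} mod M (i is 0-based in this code)."""
    return pow(x, C[i], M)


def node(x_start, sizes, k):
    """x_{k_1,...,k_m}: apply h_i exactly n_i - k_i times to X_N."""
    x = x_start
    for i, (n_i, k_i) in enumerate(zip(sizes, k)):
        for _ in range(n_i - k_i):
            x = h(i, x)
    return x


def roots_over_all_orders(x_start, sizes):
    """Set of roots reached by every interleaving of the hash steps."""
    steps = [i for i, n_i in enumerate(sizes) for _ in range(n_i)]
    found = set()
    for order in set(permutations(steps)):
        x = x_start
        for i in order:
            x = h(i, x)
        found.add(x)
    return found


def root_with_trapdoor(x_start, sizes):
    """X_0 = X_N^(prod c_i^{n_i} mod E) mod M; requires knowing p and q."""
    e = 1
    for c_i, n_i in zip(C, sizes):
        e = e * pow(c_i, n_i, E) % E      # multiplications modulo E only
    return pow(x_start, e, M)             # the single exponentiation mod M


if __name__ == "__main__":
    size = (3, 2)                         # the chain drawn in Figure 2
    print("roots over all paths:", roots_over_all_orders(X_N, size))
    print("root via trapdoor:   ", root_with_trapdoor(X_N, size))
```
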

3 Cash-like Schemes Based on MDHC 

Cash-like payment schemes use the notion of electronic coin, which is an authenticated 
(by the bank) bit string that is easy to verify, but hard to forge. Examples of such coin 
are hash collisions (as in MicroMint 0), or digital signatures (as in Ecash uni). 

Let's recall the definition of MDHC. If we select the size of the hash chain with n = 1
then all nodes $X_i = x_{0,0,\ldots,1,\ldots,0}$ (with all $k_j = 0$ for $j \neq i$, except $k_i = 1$) have
the same hash value: $h_i(X_i) = X_0$. So we can use a pair $(X_i, h_i)$ as an electronic coin since:

- It is easy to verify by just one hashing.

- It is hard to forge because hash functions $h_i$ are one-way, and their one-way
independence assures that coin forgery is impossible even if one knows other coins with
the same root $X_0$.

As a proof of that concept, we suggest two micropayment schemes based on MDHC
with the RSA modular exponentiation. We refer to these as S1 and S2 schemes.

3.1 The S1 scheme

We assume that there are three parties involved in a micropayment scheme, namely a 
bank (B), a customer (C) and a vendor (V). B is trusted by both C and V. 

Setup:

- B selects an RSA modulus M = pq where p and q are large safe primes of equal bit
length. A prime p is called safe if p = 2p' + 1 where p' is also an odd prime.

- B chooses m constant values $c_1, c_2, \ldots, c_m$ that satisfy the condition of one-way
independence, i.e. each $c_i$ is not a factor of $\prod_{j \neq i} c_j$. These values together with
modulus M are public parameters and can be used for multiple coin generations.

- To generate m coins, B picks a random value $X_N$ and computes:

$C = c_1 c_2 \cdots c_m \bmod E$ where $E = (p - 1)(q - 1)$

$X_0 = h_1(h_2(\ldots(h_m(X_N)))) = X_N^{C} \bmod M$

$X_i = h_1(h_2(\ldots(h_{i-1}(h_{i+1}(\ldots(h_m(X_N))))))) = X_N^{C c_i^{-1} \bmod E} \bmod M$, $i = 1, \ldots, m$

Now B has m coins $(X_i, c_i)$.

- B keeps $X_0$ in a public list of coin roots.

- For prevention of double-spending B keeps another list of all unspent coins. In
addition, B can also generate vendor-specific as well as customer-specific coins by
using some bit portions of constants $c_i$ to form vendor ID and customer ID, similar
to the technique used in MicroMint scheme.

C buys a sufficiently large number of coins from B before making purchases.

Payment:

- C pays a coin $(X_i, c_i)$ to vendor V.

- V verifies the coin by computing $X_0 = X_i^{c_i} \bmod M$, and checks if $X_0$ is in the list of
coin roots. Note that this list is relatively small and does not change frequently so C
could keep it locally.

- To assure that a coin was not double-spent, V either checks the list of unspent coins 
on-line with B, or checks (off-line) the list of coins he already received if the coin is 
vendor-specific. 

Redemption: 

- V deposits the coins he got from customers to B and receives an amount corresponding
to the number of coins.

- At the end of the coin validity period, C can sell unused coins back to B or exchange
them for new coins.

The scheme proposed above has several advantages:

- Coins are hard to forge under the RSA assumption.

- Payment can be made off-line by using vendor-specific coins.

- If customer-specific coins are not used, the scheme is anonymous and untraceable
because coins contain no customer information and there are no links between coins.

However, the disadvantages of this scheme are: 

- Generation and verification of coins is not very efficient. Each coin requires one 
modular exponentiation to generate or verify it, which is much slower than normal 
hash calculation. 

- The list of unspent coins can be very big, though this is a common problem of most 
coin-based schemes. 

To overcome these disadvantages, we propose a modified scheme with larger size hash 
chains (i.e. with n > 1). In this scheme, B generates m chains of coins at once, rather 
than m single coins. Each coin chain is similar to the hash chain used in the PayWord 
scheme. 


3.2 The S2 scheme

Setup:

- B selects public parameters M and $c_1, c_2, \ldots, c_m$ in the same way as in the S1 scheme.
Let n be the size of the hash chains (for simplicity we assume all dimensions have
the same size i.e. $n_1 = n_2 = \ldots = n_m = n$).

- B picks a random value $X_N$ and computes:

$C = c_1^n c_2^n \cdots c_m^n \bmod E$ where $E = (p - 1)(q - 1)$

$X_0 = X_N^{C} \bmod M$

$X_i = X_N^{C c_i^{-n} \bmod E} \bmod M$ for $i = 1, 2, \ldots, m$

Now B has m coin chains $(X_i, c_i)$. Each of those chains contains exactly n coins
$(x_{i,j}, c_i, j)$ for $j = 1, 2, \ldots, n$ where:

$x_{i,j} = x_{i,j+1}^{c_i} \bmod M$ for $i = 1, 2, \ldots, m$ and $j = 0, 1, \ldots, n - 1$

$x_{i,n} = X_i$ and $x_{i,0} = X_0$

The coins from one coin chain must be paid to the same vendor. 

- For double-spending prevention, now there is no need to keep track of all unspent 
coins. Instead, B keeps the list of first coins of all unused chains. 

- As in the S1 scheme, coin chains can be vendor-specific as well as customer-specific.

C buys coin chains from B before making purchases.

Payment: 

- C pays a vendor V the coins from a coin chain. The first coin of the chain $(x_{i,1}, c_i, 1)$
is verified by computing $X_0 = x_{i,0} = x_{i,1}^{c_i} \bmod M$ and lookup of $X_0$ in the list of
chain roots. It is also checked for double-spending by lookup in the list of unused
chains. Any subsequent coin is verified by checking that it hashes to the previous
coin in the chain, as in the PayWord scheme:

$h_i(x_{i,j+1}) = x_{i,j+1}^{c_i} \bmod M = x_{i,j}$

Redemption:

- V deposits the last coin (i.e. the coin with highest index j) of each coin chain he got
from customers to B and receives an amount corresponding to the number of coins.

Comparing with the S1 scheme, this modified scheme retains all advantages of S1, but
storage requirement is reduced by a factor of n. In fact, B keeps track of only the first coins
of n-coin chains.

Another advantage of this scheme is more efficient coin generation. Because B knows 
the factorization of M, he can compute the starting node of a coin chain by just one modular 
exponentiation. Thus the cost of this computationally expensive operation is shared over
all coins of the chain. Similarly, B can also verify coin chains that he got from vendors by 
computing one modular exponentiation per chain. 

Generally speaking, the S2 scheme combines the advantages of two approaches. A 
first approach uses unrelated coins that are convenient for payments to multiple vendors. 
Another approach uses chains of coins that are easy to generate and verify. In our scheme 
different coin chains are unrelated, while coins within a chain are generated and verified 
only by repeated hashing. 
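
The S2 flow described above (S1 is the case n = 1), as an added example that is not code from the paper: the bank mints m coin chains with one exponentiation each, the customer unrolls a chain by hashing, and the vendor checks the first coin against the root and unused-chain lists and every later coin against its predecessor. The toy primes, exponents, starting value and all function and class names are assumptions, and the bank's on-line list of unused chains is modelled as a set held by the vendor.

```python
from math import gcd, prod

# Constructed toy parameters, far too small for real use.
P, Q = 1019, 1187                  # bank's secret safe primes
M, E = P * Q, (P - 1) * (Q - 1)    # M is public; E stays with the bank
C = (3, 5, 7)                      # public exponents c_1..c_m


def one_way_independent(cs):
    """Each c_i must not be a factor of the product of the others."""
    return all(prod(cs[:i] + cs[i + 1:]) % c for i, c in enumerate(cs))


def mint(x_start, n):
    """Bank: root X_0 and chain tops X_i = X_N^(C * c_i^-n mod E) mod M."""
    assert gcd(x_start, M) == 1 and one_way_independent(C)
    big_c = prod(pow(c, n, E) for c in C) % E
    # pow(c, -n, E) is the modular inverse of c^n (Python 3.8+).
    tops = [pow(x_start, big_c * pow(c, -n, E) % E, M) for c in C]
    return pow(x_start, big_c, M), tops


def unroll(top, i, n):
    """Customer: coins x_{i,1..n} from X_i = x_{i,n}, without knowing E."""
    coins = {n: top}
    for j in range(n - 1, 0, -1):
        coins[j] = pow(coins[j + 1], C[i], M)
    return coins


class Vendor:
    def __init__(self, roots, unused_first_coins):
        self.roots = roots                  # public list of chain roots
        self.unused = unused_first_coins    # stands in for the bank's list
        self.last = {}                      # chain i -> (j, x_{i,j})

    def accept(self, i, j, x):
        prev = pow(x, C[i], M)              # h_i(x): one exponentiation
        if j == 1:
            ok = prev in self.roots and x in self.unused
            if ok:
                self.unused.discard(x)      # chain is now in use
        else:
            ok = self.last.get(i) == (j - 1, prev)
        if ok:
            self.last[i] = (j, x)
        return ok


if __name__ == "__main__":
    root, tops = mint(271828, 4)
    firsts = {unroll(t, i, 4)[1] for i, t in enumerate(tops)}
    vendor, coins = Vendor({root}, firsts), unroll(tops[1], 1, 4)
    print([vendor.accept(1, j, coins[j]) for j in (1, 2, 3, 4)])
    print("replayed first coin:", vendor.accept(1, 1, coins[1]))
```
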

4 Improve PayWord Scheme by Using MDHC

The PayWord scheme has been proposed in jH]. It is based on one-way hash chains
described in section 2.1. In this scheme, before making purchases a customer C generates
a hash chain $x_0, x_1, \ldots, x_n$ (that is a chain of paywords) and sends his signature of the root
$x_0$ to the vendor V. The customer then makes a payment to V by revealing the next
payword, which can be verified by checking that it hashes to the previous payword.

The PayWord scheme allows a vendor to aggregate successive payments from a customer
by sending only the last payword he got from the customer to the bank for redemption.
However, a vendor cannot aggregate payments of different customers, nor can a customer 
use the same chain of paywords to make payments to different vendors, because there is 
no way to merge different hash chains. 

By using MDHC, we can improve PayWord scheme in a number of ways. Below we 
briefly describe two of such possible improvements. Note that some irrelevant details in 
these descriptions are omitted for convenience. 

4.1 Multiple denominations 

In the original PayWord scheme the size of the hash chain must be large enough. For 
example, if each micropayment is worth 1 cent and total payment is up to $100, then a 
chain with size of 10,000 must be generated, which requires 10,000 hash calculations. 

We can reduce the number of hash calculations by using MDHC instead of linear hash 
chain. The idea is that every dimension of MDHC will be associated with different weight 
(or denomination) according to some number system (e.g. decimal or binary). 

Suppose we have an m-dimensional hash chain with size of n. If one step in the
(i+1)-th dimension is equivalent to (n + 1) steps in the i-th dimension, then a node
$x_{k_1,k_2,\ldots,k_m}$ corresponds to the value:

$k_1 + k_2 (n + 1) + k_3 (n + 1)^2 + \ldots + k_m (n + 1)^{m-1}$

The maximal value that could be represented by this hash chain is $N = (n + 1)^m - 1$
and the number of hash calculations required to generate the hash chain is $n \log_{n+1}(N + 1)$.
In the case of a binary number system (i.e. n = 1) it is $\log_2(N + 1)$.

Returning to the example above, the hash chain now requires just 14 calculations to 
generate. 

Similarly, verification of the payword also requires significantly fewer calculations than
in the case of the original PayWord scheme.
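
The denomination mapping of section 4.1, as an added example that is not code from the paper: amounts in cents are converted to node coordinates in base n + 1, and the hash calculations needed to build the root and to verify one payword are counted for the $100 example. The toy modulus, the fourteen exponents, the starting value and all function names are assumptions.

```python
# Constructed toy parameters, far too small for real use.
M = 1019 * 1187                    # RSA modulus (factors not needed here)
# One exponent per dimension; with n = 1 the dimensions are the binary
# denominations 1, 2, 4, ..., 8192 cents. Distinct primes are assumed.
C = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def dimensions_needed(max_value, n):
    """Smallest m such that (n + 1)^m - 1 >= max_value."""
    m = 0
    while (n + 1) ** m - 1 < max_value:
        m += 1
    return m


def to_node(value, n, m):
    """Digits (k_1, ..., k_m) of value in base n + 1, k_1 least significant."""
    if not 0 <= value <= (n + 1) ** m - 1:
        raise ValueError("value does not fit in this chain")
    k = []
    for _ in range(m):
        value, digit = divmod(value, n + 1)
        k.append(digit)
    return tuple(k)


def to_value(k, n):
    """k_1 + k_2 (n+1) + ... + k_m (n+1)^(m-1)."""
    return sum(k_i * (n + 1) ** i for i, k_i in enumerate(k))


def walk(x, k_from, k_to):
    """Hash from node k_from towards the root until node k_to.

    Returns (node value, number of hash calculations)."""
    calls = 0
    for i, (a, b) in enumerate(zip(k_from, k_to)):
        if b > a:
            raise ValueError("target is not between k_from and the root")
        for _ in range(a - b):
            x = pow(x, C[i], M)
            calls += 1
    return x, calls


N_STEPS, DIMS = 1, dimensions_needed(10_000, 1)   # binary system, m = 14
TOP, ZERO = (N_STEPS,) * DIMS, (0,) * DIMS
X_N = 31337                                       # constructed start value


def payword(value):
    """Customer: the node that represents `value` cents."""
    return walk(X_N, TOP, to_node(value, N_STEPS, DIMS))[0]


def verify(value, x, root):
    """Vendor: hash the payword down to the signed root; count the work."""
    got, calls = walk(x, to_node(value, N_STEPS, DIMS), ZERO)
    return got == root, calls
```
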

4.2 Multiple vendors

In the PayWord scheme a hash chain can be used for payments to only one vendor. A
customer must generate different hash chains for payment to different vendors.

We can overcome this drawback by using MDHC as well. Let every vendor $V_i$ in the
payment system be assigned a different hash function $h_i$ (i.e. a public parameter $c_i$ in the
case of RSA modular exponentiation).

Now, in order to make payment to m different vendors, a customer generates an
m-dimensional hash chain with their public parameters $c_i$ and signs its root. The customer
then makes a payment to $V_i$ by revealing the next payword in the i-th dimension, starting
from the root of the hash chain.

In particular, if the current payword is $x_{k_1,k_2,\ldots,k_i,\ldots,k_m}$, the next payword in the i-th
dimension will be $x_{k_1,k_2,\ldots,k_i+1,\ldots,k_m}$.

At the end of the day, vendors deposit the last paywords they got to the bank for
redemption. The bank picks the last payword (which is the one with highest indices)
among paywords with a certain root (which all come from one customer). Finally, the bank
credits vendors $V_i$ by the amount equivalent to $k_i$, and debits the customer's account
accordingly.

There could be other possible improvements to the PayWord scheme by using MDHC. 
For example we can aggregate payments of different customers into a single MDHC that 
is generated by the bank, or we can construct a payment scheme with multiple currencies, 
etc. 

5 Conclusion 

The proposed multi-dimensional hash chain is a simple and efficient construction for
one-way hash chains. Whereas a traditional one-way hash chain has a storage-computational
complexity of O(n), our construction achieves a complexity of $O(\log_2 n)$, which is
comparable with the best result among other recently proposed constructions.

We show that multi-dimensional hash chains can be very useful in micropayment 
schemes. In particular, we suggest two cash-like micropayment schemes based on MDHC 
with RSA modular exponentiation as one-way hash function. The first scheme utilizes 
coins that are hard to forge under the RSA assumption. This scheme could be also off-line 
and untraceable. The second scheme has additional advantages including very efficient 
coin generation/verification and much less storage requirements. 

We also point out some possible improvements to PayWord and similar schemes by 
using MDHC, including payword chains with multiple denominations, and a scheme that 
allows payment to multiple vendors using the same payword chain. 

An open issue for our construction is whether another one-way hash function can be 
found that meets MDHC requirements, and at the same time is more efficient than RSA 
modular exponentiation. 